PRIVACY POLICY PHISHED.IO (US)

Privacy Policy phished.io (US) 
Version 2026-05 - Effective Date: May 1, 2026

Phished BV ("Phished," "we," "us," or "our") is committed to protecting your personal information in accordance with applicable U.S. privacy laws, including the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), and other applicable state and federal privacy laws.

This Privacy Policy applies to all of Phished's digital channels and services, including the main website (phished.io), the Phished Academy (phishedacademy.io), the Security Overview (security.phished.io), and all other websites, apps, or digital services offered or operated by Phished. Where this policy refers to "the website" or "our services," this includes all of the above.

1. Who We Are

Phished BV, with its principal place of business at Bondgenotenlaan 138, 3000 Leuven, Belgium (company registration number 0735.908.019), is the business responsible for the processing of personal information collected through this website and associated services for the purposes described in this Privacy Policy.

2. Contact Information

If you have questions or concerns about this Privacy Policy, please contact our Privacy Officer at: [email protected].

Our Privacy Officer can be reached via [email protected] or by post at: Phished, attn. the Privacy Offer, Bondgenotenlaan 138, 3000 Leuven, Belgium.

If you wish to exercise any of your privacy rights (see Section 9), please contact us at the same address. When submitting a rights request, please clearly identify which right you wish to exercise and be as specific as possible.

3. Personal Information We Collect

Depending on your relationship with Phished, we collect the following categories of personal information:

  1. Customers (and their representatives): General identifiers (such as name, title/position, address, mobile/phone number, email, assigned identifiers); financial identifiers (such as identification and bank account numbers); financial transactions (such as amounts paid or payable); compensation; professional activities (including company name, nature of business, goods/services used, and business relationships); contracts and agreements with Phished; and any other personal information lawfully provided to Phished. The source of this information is you or your employer.
    1. Partners (and their representatives): General identifiers (such as name, title/position, address, mobile/phone number, email, assigned identifiers); financial identifiers (such as identification and bank account numbers); financial transactions (such as amounts paid or payable); compensation; professional activities (including company name, nature of business, goods/services used, and business relationships); contracts and agreements with Phished; and any other personal information lawfully provided to Phished. The source of this information is you or your employer.
    2. Prospects (and their representatives): General identifiers (such as name, title/position, address, mobile/phone number, email); professional activities (including nature of business, goods/services of interest, and business relationships); and any other personal information lawfully provided to Phished. The source of this information is you or your employer.
    3. Vendors and Suppliers (and their representatives): General identifiers (such as name, title/position, address, mobile/phone number, email, assigned identifiers); financial identifiers (such as identification and bank account numbers); financial transactions (such as amounts paid or payable); compensation; professional activities (including nature of business and goods/services provided); contracts and agreements with Phished; and any other personal information lawfully provided to Phished. The source of this information is you or your employer.
    4. Job Applicants: All personal information lawfully provided to Phished, such as a resume and/or cover letter.
    5. Website Visitors: Personal information collected through cookies (see our Cookie Policy) and information submitted via a contact form.
    6. Social Media Users: Personal information provided by users on social media channels, used for advertising purposes.

In the course of its business activities, Phished may also act as a service provider with respect to your personal information (for example, when sending a phishing simulation to an audience designated by a customer). In those cases, Phished's processing as a service provider is governed by the agreement between Phished and the relevant business and is not covered by this Privacy Policy. For that context, please refer to our Privacy Policy for End Users.

If you provide us with personal information about a third party (such as your employees, freelancers, customers, vendors, or partners) you represent to Phished that you: (a) have lawfully obtained that personal information from the third party and are lawfully providing it to Phished; (b) are providing Phished with accurate and up-to-date personal information; and (c) have informed that individual about the existence and content of this Privacy Policy.

4. Purposes for Collecting Personal Information

You are not required to share personal information with us. However, if you do not provide certain information, we may not be able to deliver the products or services you request. We process personal information for the following purposes:

  1. Performance of a Contract: Creating a personal account and/or profile; performing and managing contractual obligations (including related communications); invoicing; and customer service and support.
    1. Website Purchases: Processing orders and fulfilling purchase agreements made through the website (including related communications), and invoicing.
    2. Marketing Communications: Sending notifications via email and/or newsletters. If you no longer wish to receive these communications, you may opt out at any time using the unsubscribe mechanism provided. Once you opt out, we will stop sending you unwanted marketing messages and will no longer process your personal information for that purpose.
    3. Job Applicant Management: Evaluating applicants for open positions, conducting recruitment and selection activities, and, where applicable, preparing an employment agreement.
    4. Business Operations and Security: Improving and optimizing our services (including through the use of cookies and social media advertising); maintaining and improving the website (including through the use of cookies); ensuring the security of our website and services; preventing misuse or abuse of our services; retaining personal information as evidence for potential legal, administrative, or out-of-court proceedings; retaining personal information for the purpose of obtaining or maintaining insurance coverage, managing risk, or obtaining expert advice; and ensuring attendance at or participation in events.
    5. Compliance with Legal Obligations: Processing personal information as required to comply with applicable laws and regulations, including anti-money laundering and counter-terrorism financing requirements.
    6. Contact Form Responses: Responding to inquiries submitted through a contact form on our website or through other means of contact. We process the information provided in connection with your inquiry in order to assist you effectively.

5. Why We Collect Your Information

We collect personal information for the business and operational purposes described in Section 4. Here is a summary of why we collect each type:

  • Customer and partner information is collected to fulfill our contractual obligations, deliver our services, process payments, and provide customer support.

  • Prospect information is collected to respond to your inquiries and, where you have opted in, to send you marketing communications. You can opt out of marketing emails at any time using the unsubscribe link in any message we send.

  • Job applicant information is collected to evaluate candidates for open positions at Phished.

  • Website visitor information (including cookie data) is collected to keep our website running, analyze how it is used, and improve our services. See our Cookie Policy for details.

We may also retain or use personal information to comply with applicable laws and regulations, to respond to lawful requests from government authorities, to enforce our agreements, and to protect the rights, safety, and property of Phished and others.

6. Disclosure of Personal Information to Third Parties

We disclose personal information to third parties only when those parties are contractually bound to Phished or are acting on behalf of or under contract with Phished. We have put in place appropriate data protection agreements with all such parties.

Phished may disclose personal information where required to comply with a legal obligation. We may also disclose personal information where necessary to establish, exercise, or defend a legal claim in judicial, administrative, or out-of-court proceedings.

Phished does not sell your personal information. Phished does not share your personal information with third parties for cross-context behavioral advertising. We recognize and honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal when you visit our website, we treat it as a request to opt out of the sale or sharing of your personal information. Because Phished does not sell personal information and does not share it for cross-context behavioral advertising, a GPC signal will not change how we process your data, but we acknowledge and honor it as required by applicable law.

We may transfer personal information to recipients located outside the United States. Where we do so, we implement appropriate safeguards, where we rely on legally recognized transfer mechanisms, including the EU-U.S. Data Privacy Framework where applicable.

In the event of a full or partial reorganization, merger, demerger, acquisition, or asset sale, we may transfer personal information to the relevant third party as part of that transaction.

Please be aware that personal information you submit for publication through our website or services may be accessible worldwide via the internet. We cannot prevent others from using or misusing such information once it is publicly accessible.

7. Retention and Deletion of Personal Information

We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy. Retention periods vary depending on the purpose and the type of personal information involved.

8. Automated Decision-Making and Profiling

Phished does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you.

9. Your Privacy Rights

Depending on your state of residence, you may have certain rights regarding your personal information. These rights apply to residents of California, Virginia, Colorado, Connecticut, and other states with applicable privacy laws. To submit a request, contact us at [email protected]. We will respond to verifiable requests within 45 days. We may need to verify your identity before processing your request. Please specify which right you wish to exercise and provide enough information for us to verify your identity. We will not require you to create an account to submit a request, and we will not use your information for any purpose other than processing your request.

  1. Right to Know: You may have the right to request that we disclose the categories of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected about you.
    1. Right to Correct: You may have the right to request that we correct inaccurate personal information we maintain about you.
    2. Right to Delete: You may have the right to request that we delete personal information we have collected from you, subject to certain exceptions. For example, we may retain personal information where necessary to complete a transaction, detect security incidents, comply with a legal obligation, or for other purposes permitted under applicable law.
    3. Right to Data Portability: Where technically feasible, you may request that we provide your personal information in a portable format that allows you to transmit it to another business.
    4. Right to Opt Out of Sale or Sharing: Phished does not sell your personal information and does not share it for cross-context behavioral advertising. If this changes in the future, we will update this Privacy Policy and provide you with the right to opt out.
    5. Right to Limit Use of Sensitive Personal Information: To the extent we collect sensitive personal information (as defined under applicable law), we use it only to the extent necessary to deliver our services and for other permitted purposes. We do not use or disclose it for inferring characteristics about you.
    6. Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
    7. Right to Opt Out of Targeted Advertising: Phished does not engage in targeted advertising using your personal information collected from our website. If this changes, we will notify you and provide an opt-out mechanism.
    8. Right to Appeal: If we deny your privacy request, you may appeal our decision by contacting us at [email protected]. We will respond to your appeal within the timeframe required by your state's law. If your appeal is denied, you may contact your state Attorney General's office.
    9. Filing a Complaint If you believe your privacy rights have been violated, you may file a complaint with your state Attorney General's office or, for California residents, with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

10. Cookies

You can find more information about our use of cookies via the following link.

11. Updates to This Privacy Policy

Phished reserves the right to update this Privacy Policy from time to time to reflect technological developments, changes in applicable law, and evolving business practices. The current version and its effective date will always be indicated at the top of this document.

Privacy Policy for End Users (US)
Version 2026-05 - Effective Date: May 1, 2026

Phished BV ("Phished," "we," "us," or "our") is committed to protecting your personal information in accordance with applicable U.S. privacy laws, including the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), and other applicable state and federal privacy laws.

Phished processes your personal information on behalf of and at the direction of its customer, the organization that uses our services. In this context, Phished acts as a "service provider" or "contractor" as those terms are defined under applicable U.S. law. The customer organization (the "Business") determines the purposes and means of the processing and is responsible for its own privacy practices.

The Business may have its own privacy policy governing how your personal information is processed by Phished. This Privacy Policy should be read together with that policy. In the event of any conflict, the Business's privacy policy takes precedence, as specific arrangements may exist between you and your organization.

1. Your Organization (the Business)

Your employer or organization (the "Business") has designated you as an end user of the following services (the "Services") provided by Phished:

  • Creation of a Phished user account for the Business's employees and personnel (collectively, "Users");

  • Delivery of simulated phishing attacks to logged-in Users of the Business;

  • Cybersecurity awareness training through the Phished Academy, including threat alerts, cyber hygiene guidance, a Behavioral Risk Score (BRS), an AI-powered cyber assistant (Aria), and reporting features;

  • Automated delivery (via web portal) of detailed reports on training and simulation results;

  • A zero-trust email and browser security solution that automatically secures incoming emails and links (Zero Incident Mail / Secure Before You Click), where applicable;

  • The Phished Assistant (Aria), an AI-powered cyber assistant that enables Users to report, analyze, and receive security support for emails, where applicable.

The Business and Phished have entered into an agreement governing the delivery of these Services.

2. Service Provider

Phished BV, with its principal place of business at Bondgenotenlaan 138, 3000 Leuven, Belgium (company registration number 0735.908.019), acts as a service provider with respect to the processing of your personal information for the purpose of delivering the Services.

3. Contact Information

If you have questions or concerns about this Privacy Policy, please contact our Privacy Officer at: [email protected].

Our Privacy Officer can be reached via [email protected] or by post at: Phished, attn. the Privacy Offer, Bondgenotenlaan 138, 3000 Leuven, Belgium.

To exercise any of your privacy rights (see Section 9), please contact the Business directly. Phished will not independently process rights requests from Users, unless explicitly instructed to do so by the Business.

4. Personal Information We Collect

We collect the following categories of personal information in all cases:

  • Name;

  • Email address;

  • Language preference;

  • Login, authentication, and security data (including user credentials, SSO/identity provider data, and access logs);

  • Open, click, and report behavior and results relating to the Phished Academy and phishing simulations; risk scores and Behavioral Risk Score (BRS); and User interactions with alerts, notifications, and security recommendations.

Depending on the Business's configuration, we may also collect:

  • Department and/or job title;

  • Geographic location of the company or office where you are employed;

  • Mobile phone number;

  • Profile photo (when authenticating via Microsoft SSO);

  • Email data relating to reported emails, depending on the settings enabled in the Business's Phished account:

    • If the Business has enabled "handle reports in the application" or "handle reports in the application and forward reports by email," and a potential phishing email is reported:

      • Via the Phished Report Button in Gmail: Phished processes only the body of Gmail messages (including attachments), metadata, headers, and settings, to identify the email as a Phished simulation or a potential phishing threat. This data is encrypted and processed in compliance with Google API Services User Data Policy, including Limited Use requirements.

      • Via the Phished Report Button in Outlook: Phished processes only Outlook message bodies (including attachments), metadata, headers, and language settings, to identify an email as a Phished simulation or a potential phishing threat. This data is encrypted.

      • Via forwarding: Phished processes only the message body (including attachments) and headers to identify an email as a Phished simulation or a potential phishing threat. This data is encrypted.

    • If the Business has selected only the "forward reports by email" option, Phished will not process these emails.

  • Cyber Assistant Aria usage data, if an administrator enables this feature: prompts entered by Users (admin-profile only), the English translation of the prompt, and Aria's response;

  • Email security and analysis data, if the Business uses the zero-trust email security or Phished Assistant features: email messages (including attachments), email headers and metadata, and technical data required to open links or email content in a secure environment. Data processed through the Phished Assistant is held only temporarily in volatile memory, for a maximum of 10 minutes per session, after which it is automatically deleted.

This information is provided to Phished by the Business, which: (a) has lawfully obtained such personal information from you and lawfully provided it to Phished; (b) has provided Phished with accurate and up-to-date personal information; and (c) will provide you with relevant information about the processing activities.

5. Purposes for Collecting and Using Personal Information

We process personal information because it is necessary to deliver the Services. We process your personal information for the following purposes, on behalf of and as directed by the Business:

  • Making the Phished platform available in accordance with the agreement between Phished and the Business, including creating a user account for you and ensuring the platform functions correctly;

  • Providing login, authentication, access management, and platform security;

  • Increasing Users' awareness of cybersecurity threats and improving the Business's overall cyber resilience through the Phished platform, including by:

    • Sending and receiving communications via email, SMS, or voice message (depending on settings configured by the Business), such as phishing simulation notifications or alerts regarding suspected real phishing emails. These communications are not marketing messages. If you no longer wish to receive them, please contact the Business directly. Only the Business can instruct us to stop sending these communications. Note that doing so may reduce the effectiveness of your cybersecurity training, and the Business may determine that ongoing training is necessary for its cybersecurity program and may decline your request on that basis (for example, because participation of all employees is required as part of the organization's security policy);

    • Making email reporting available to identify Phished simulations and real phishing threats;

    • Detecting, analyzing, and mitigating phishing and other cybersecurity threats;

    • Securing email traffic through zero-trust and other security mechanisms, where applicable;

    • Providing AI-driven phishing detection, security assistance, and user support via Cyber Assistant Aria, where applicable;

    • Continuously measuring User engagement with the Phished Academy, including through training modules and question sets from Phished or the Business;

    • Storing phishing simulation results;

    • Making phishing simulation results available to the Business through statistics and reports;

    • Continuously refining and adapting phishing simulations.

Phished will not use your personal information for any purpose other than delivering the Services or fulfilling its obligations under its agreement with the Business. Phished processes personal information solely on the documented instructions of the Business.

6. Disclosure of Personal Information to Third Parties

We disclose personal information to third parties only when those parties are contractually bound to Phished or are acting on behalf of or under contract with Phished. We have put in place appropriate data protection agreements with these parties. The Business is informed about these sub-service providers in the agreement between Phished and the Business.

Phished may disclose personal information where required to comply with a legal obligation. We may also disclose personal information where necessary to establish, exercise, or defend a legal claim in judicial, administrative, or out-of-court proceedings.

Phished does not sell your personal information. Phished does not share your personal information with third parties for cross-context behavioral advertising. We recognize and honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal when you visit our website, we treat it as a request to opt out of the sale or sharing of your personal information. Because Phished does not sell personal information and does not share it for cross-context behavioral advertising, a GPC signal will not change how we process your data, but we acknowledge and honor it as required by applicable law.

We may transfer personal information to recipients located outside the United States. Where we do so, we implement appropriate safeguards, where we rely on legally recognized transfer mechanisms, including the EU-U.S. Data Privacy Framework where applicable.

In the event of a full or partial reorganization, merger, demerger, acquisition, or asset sale, we may transfer personal information to the relevant third party as part of that transaction.

7. Retention and Deletion of Personal Information

Personal information is retained for the duration of the agreement between Phished and the Business, and is deleted 12 months after your account becomes inactive following termination of that agreement. Unless otherwise agreed between Phished and the Business, Phished may continue to use anonymized, aggregated data that does not constitute personal information for the purpose of improving its services.

The Business may contact Phished at any time to request the anonymization or deletion of specific personal information, for example if you are no longer employed by or affiliated with the Business. To submit such a request, please contact the Business directly.

8. Automated Decision-Making and Profiling

Phished does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you.

The Phished platform calculates a Behavioral Risk Score (BRS) based on your interactions with training modules and phishing simulations. This score is made available to your organization (the Business) to help manage its cybersecurity program. Phished does not use the BRS to make (automated or non-automated) decisions about you directly. The Business determines how it uses this information within its own organization.

9. Your Privacy Rights

Depending on your state of residence, you may have certain privacy rights regarding your personal information. These rights apply to residents of California, Virginia, Colorado, Connecticut, and other states with applicable privacy laws. Because Phished processes your personal information as a service provider on behalf of the Business, most rights requests must be directed to the Business. Phished will assist the Business in responding to your request as required by law. Phished will not respond to your request directly, and shall forward it to the Business, unless explicit instructions of the Business to do so.

Below is a summary of your rights. These rights can be complex, so this section does not cover every detail or exception. To learn more, you can review the applicable laws or contact the Business.

  1. Right to Know: You may have the right to request that we disclose the categories of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected about you.
    1. Right to Correct: You may have the right to request that we correct inaccurate personal information we maintain about you.
    2. Right to Delete: You may have the right to request that we delete personal information we have collected from you, subject to certain exceptions. For example, we may retain personal information where necessary to complete a transaction, detect security incidents, comply with a legal obligation, or for other purposes permitted under applicable law.
    3. Right to Data Portability: Where technically feasible, you may request that we provide your personal information in a portable format that allows you to transmit it to another business.
    4. Right to Opt Out of Sale or Sharing: Phished does not sell your personal information and does not share it for cross-context behavioral advertising. If this changes in the future, we will update this Privacy Policy and provide you with the right to opt out.
    5. Right to Limit Use of Sensitive Personal Information: To the extent we collect sensitive personal information (as defined under applicable law), we use it only to the extent necessary to deliver our services and for other permitted purposes. We do not use or disclose it for inferring characteristics about you.
    6. Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
    7. Right to Opt Out of Targeted Advertising: Phished does not engage in targeted advertising using your personal information collected from our website. If this changes, we will notify you and provide an opt-out mechanism.
    8. Right to Appeal: If we deny your privacy request, you may appeal our decision by contacting us at [email protected]. We will respond to your appeal within the timeframe required by your state's law. If your appeal is denied, you may contact your state Attorney General's office.
    9. Filing a Complaint If you believe your privacy rights have been violated, you may file a complaint with your state Attorney General's office or, for California residents, with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

  1. Updates

Phished reserves the right to update this Privacy Policy from time to time to reflect technological developments, changes in applicable law, and evolving business practices. The current version and its effective date will always be indicated at the top of this document.

PRIVACY POLICY PHISHED.IO (UK)

Privacy policy phished.io (UK)
Version 2024-08

Phished BV undertakes to process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and other applicable legislation.

1. The Controller

Phished BV (hereinafter referred to as 'Phished', 'we', 'us' or 'our') with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and with registration number 0735.908.019, is the controller for the processing of your personal data for the purposes as described in this data protection policy.

2. Contact details

If you would like to contact us regarding this policy, you can do so by sending an email to our DPO: [email protected].

If you contact us because you wish to exercise one of your rights (see section 8), please clearly indicate which right you wish to exercise. Please be as specific as possible when exercising your rights.

3. The personal data we process

Depending on your role or capacity, we collect the following data:

  • Customers (and their representatives): general identifiers (such as name, title/position, address, mobile phone or phone number, email, assigned identifiers), financial identifiers (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the business, the nature of the activity, the nature of the goods/services used, business relationships), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.

  • Partners (and its representatives): general identifiers (such as name, title/position, address, mobile phone or telephone number, email, assigned identifiers), financial identifiers (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the business, the nature of the activity, the nature of the goods/services used, business relationships),  contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.

  • Prospects (and their representatives): general identification data (such as name, title/position, address, mobile phone or telephone number, e-mail), professional activities (including the nature of the activity, the nature of the goods/services used, business relationships), all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.

  • Suppliers (and their representatives): general identifiers (such as name, title/position, address, mobile phone or telephone number, email, assigned identifiers), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the nature of the activity, the nature of the goods/services used), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.

  • Job applicants: all personal data that has been lawfully provided to Phished (such as a CV and/or cover letter);

  • Website visitors: personal data collected via cookies (see our cookie policy);

  • Social media users: advertising through the personal data users provide via social media channels.

In the performance of its activities, Phished can also act as a processor of your personal data (for example, when sending a phishing simulation to a target group specified by our customer). In this case, the processing of personal data by Phished, as a processor, is part of the agreements between Phished and the controller(s)/our customer. These processing activities are not included in this privacy policy. In this context, we refer to the privacy policy for end users.

If you provide us with personal data from a third party, such as your staff, freelancers, customers, suppliers, partners, you guarantee to Phished that you (a) have lawfully obtained such personal data from the third party and have lawfully provided it to Phished, (b) have provided Phished with personal data that is accurate and up-to-date and (c) have provided the said person with relevant information about the existence and content of this policy.

4. Purposes

You are not obliged to share your personal data with us, but if you do not share the requested personal data with us, we may not be able to provide you with the requested services and/or products. We process the personal data for the following purposes:

4.1.   Execution of the agreement: the creation of a personal account and/or profile, the correct execution and fulfilment of the agreements (including communications), invoicing, customer service and support (so that we can help you with questions and/or problems).

4.2     Purchases via website: the correct execution of and compliance with the agreements regarding purchases via the website (including communications), the processing of orders and any after-sales service, invoicing.

4.3     Direct marketing: the sending notifications via email and/or newsletters. If you no longer wish to receive these messages, you can use the opt-out provided. After that, you will no longer receive the unsolicited direct marketing messages and we will no longer process your personal data for these direct marketing purposes.

4.4.    Applicant Management: to assess applicants' suitability for open positions, for recruitment, selection and, where applicable, the drafting of an employment contract.

4.5.    Necessary for the functioning of our company: to improve and optimize our services (e.g. by means of cookies and advertisements via social media), to maintain and improve the website (e.g. by means of cookies), to ensure the security of our website and services, to prevent misuse or improper use of our services, to store personal data as evidence or for the purpose of legal proceedings,  administrative or out-of-court procedures, to store personal data for the purpose of obtaining or maintaining insurance coverage, managing risks or seeking expert advice, to store personal data to ensure attendance at / participation in events.

4.6.    To comply with legal obligations (e.g. in relation to anti-money laundering and counter-terrorism legislation).

5. Lawful basis for the processing activities

The processing of personal data under sections 4.1 and 4.2 is based on the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.

The processing of personal data of prospects under section 4.3 and the processing of personal data by means of cookies (other than strictly necessary and functional cookies) under section 4.5 is based on the consent of the data subject.

The processing of customer personal data under Section 4.3 and for the first contact with prospects, as well as the other processing of personal data under Sections 4.4 and 4.5 is based on our legitimate interests (only when the legitimate interest of our business overrides the interests of the data subjects). The interests are set out in sections 4.3 - 4.5.

The processing of personal data under section 4.6 is necessary for compliance with a legal obligation to which we are subject.

6. Sharing your personal data with third parties/international transfers

We only provide relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract with Phished. Of course, we have made agreements with these parties about the protection of your personal data.

Phished may disclose personal data when this is necessary to comply with a legal obligation to which we are subject, or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary for the establishment, exercise or defence of legal claims, in legal proceedings or in administrative or out-of-court proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision or standard clauses, appropriate safeguards, binding corporate rules or exchanges as referred to in Article 49 (1) GDPR.

In the event of a total or partial reorganization, merger, demerger, acquisition or sale of assets, we are entitled to transfer personal data to the relevant third party.

You accept that personal data that you submit for publication through our website or services may be available worldwide via the Internet. We cannot prevent the use (or misuse) of such personal information by others.

7. Storage and deletion of personal data

We only retain personal data for as long as necessary to achieve the purpose set out above. Because the retention period depends on the purpose, but also on the type of personal data, these retention periods vary.

8. Your data protection rights

Your requests regarding the exercise of your data protection rights should be addressed to [email protected].

For your informational purposes and for the sake of clarity, we have summarised your rights under the GDPR in this section. Because some of these rights are complex, not all of the details are included in this summary. Therefore, you can read the relevant laws and regulations for a full explanation of these rights or contact the Data Controller.

In order to exercise your rights, you must also provide sufficient proof of your identity. In this context, we recommend that you attach a secure copy of your personal data to your request. A protected copy involves blurring all non-essential information and adding a watermark. This watermark should include the purpose of the copy, the recipient, and the date of issue. The only information necessary is your name (so all other information can be blurred).

  • Right of access: you have the right to be informed about whether your personal data is being processed by us, and, if so, to access the personal data, together with the additional information mentioned in Article 15 of the GDPR. If the protection of the rights and freedoms of others is not affected, we will provide you with a copy of your personal data.

  • Right to rectification: you have the right to have inaccurate and/or incomplete personal data corrected and/or completed.

  • Right to erasure: You have the right to have your personal data erased in the circumstances mentioned in Article 17 (1) GDPR, such as when you withdraw your consent to consent-based processing or object to processing for direct marketing purposes.

Phished will then delete your personal data without undue delay, unless the exclusions mentioned in Article 17 (3) GDPR apply. For example, Phished does not have to delete your data if the processing is necessary to comply with a legal obligation.

  • Right to restriction of processing: you have the right to restrict the processing of your personal data in the circumstances mentioned in Article 18 (1) GDPR, such as if you contest the accuracy of the personal data.

  • Right to data portability: You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and to transmit such data to another controller if (a) the processing is based on consent or is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a data contract, and (b) such processing is automated. However, this right does not apply if it would harm the rights and freedoms of others.

  • Right to withdraw consent: insofar as the processing ground for the processing of your personal data by Phished is based on consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.

  • Right to lodge a complaint with the supervisory authority: we always encourage you to forward any questions, comments or complaints you may have regarding the processing of your personal data in accordance with section 8. In any case, and in particular if you do not agree with Phished's position regarding a complaint/request or the way in which your request was handled (for example, if you believe that our processing of your personal data violates data protection legislation or if you have comments about the use of your personal data), you have the right to  the right to lodge a complaint with the competent supervisory authority, including the Belgian Data Protection Authority (online or by sending a letter to the Data Protection Authority with address Drukpersstraat 35, 1000 Brussels).

  • Right to object to processing: You have the right to object to the processing of your personal data by Phished for direct marketing purposes at any time. You can do this via the 'opt-out' option. After that, you will no longer receive the unsolicited direct marketing messages, and we will no longer process your personal data for these direct marketing purposes. If the processing of your personal data is necessary for another purpose, you may of course still receive communications in the context of this purpose.

You also have the right to object to the processing of your personal data by Phished based on Article 6 (e) or (f) GDPR on grounds related to your situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate/lawful grounds for the processing which override your interests, rights and freedoms, or the processing is necessary to establish, exercise or defend legal claims.

In addition, you have the right to object to our processing of your personal data for scientific, historical or statistical (research) purposes on grounds relating to your situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

9. Cookies

You can read more about our use of cookies at the following link.

10. Updates

Phished reserves the right to make changes and/or updates to this privacy policy to take into account technological advancements, changes in laws and regulations and good business practices.

End user privacy policy (UK)
Version 2025-04

Phished BV (hereinafter "Phished", "we", "us" or "our") undertakes to process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and other applicable legislation.

Phished processes your personal data for and on behalf of its customer, the organization that will use our services. Phished therefore qualifies as a processor of your personal data; and qualifies the customer as a data controller.

The controller may have its own privacy policy/data protection policy regarding the processing of your personal data by Phished, in which case the policy of the controller should be read in conjunction with this policy. In the event of a conflict, the controller's policy will take precedence (as certain specific arrangements may have been made between you and the controller).

1. The Data Controller

Your organisation/employer/designator (hereinafter referred to as "the Controller") has appointed you as part of the target audience of end users of the following services (hereinafter "Services"), which are provided by Phished:

  • the creation of a Phished user account of the employees of the Controller (in the broadest sense of the word, hereinafter referred to as "Employees");

  • carrying out simulated phishing attacks on the Controller's logged-in Employees (and the Controller's systems);

  • training employees through e-learning;

  • the automatic delivery (via web portal) of detailed reports with regard to the results of this.

The Controller and Phished have entered into an agreement on the performance of these Services

2. The Processor

Phished BV, with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and company number 0735.908.019, is the processor for the processing of your personal data with a view to the performance of the Services.

3. Contact details

If you would like to contact us about this data protection policy, please contact us by email to our DPO: [email protected].

If you wish to exercise any of your rights (see point 8), we kindly ask you to contact the Data Controller.

4. The personal data we process

We process the following categories of your personal data:

  • name

  • e-mail address;

  • language;

  • open/click/report behavior and results regarding the Phished Academy and phishing simulations.

Optionally, we also process the following categories of personal data:

  • department and/or function within the company;

  • geographical location of the company and/or establishment where you are employed;

  • mobile phone or phone number;

  • e-mail data relating to reported e-mails, depending on the settings in the Controller's Phished account:

    • If the Data Controller chooses the option "handle reports in application" or "handle reports in application & forward reports to email" in their Phished account and possible phishing emails are reported:

      • via the Phished Report Button in Gmail: Phished only processes the body of Gmail messages (incl. attachments), metadata, headers, and settings, to identify an email as a phishing simulation of Phished or as a potential phishing threat when reported via the Phished Report Button. This data will be encrypted and the processing will also comply with the Google API Services User Data Policy, including restricted use requirements.

        • via the Phished Report Button in Outlook: Phished will only process Outlook message bodies (incl. attachments), metadata, headers and language settings, to identify an email as a phishing simulation of Phished or as a potential phishing threat when reported via the Phished Report Button. This data is encrypted.

        • by forwarding them: Phished will only process the message bodies (incl. attachments) and headers to identify an email as a phishing simulation of Phished or as a potential phishing threat when it is forwarded. This data is encrypted.

      • If the Controller has chosen the option "forward reports to e-mail" in the Phished account and when any phishing e-mails are reported to Phished via the Phished Report Button in Gmail or Outlook or by means of forwarding, Phished will not process these e-mails.

This data is provided to us by the Controller, who (a) has lawfully obtained such personal data from you and has lawfully provided it to Phished, (b) Phished has provided personal data that is accurate and up-to-date, and (c) will provide you with relevant information about the processing activities.

5. Purposes and lawful basis for processing

We process the personal data because it is necessary for the performance of the Services (lawful basis for processing). In this context, we process your personal data for the following purposes on behalf of the Data Controller:

  • making the Phished software available in accordance with the agreements between Phished and the Controller (including, but not limited to, creating a user account for you and ensuring the proper functioning of the Phished software);

  • raising awareness of the dangers of phishing through the Phished software and tracking the users of the software, including (but not limited to):

    • Sending and receiving communications via email, SMS, or voice message (depending on settings) (e.g., phishing simulation notification or a suspected real phishing email).

      • These do not constitute direct marketing. However, if you no longer wish to receive these communications, you should contact the Data Controller. Only the Controller can instruct us to stop this e-mail traffic. However, we do not recommend this to the Controller, as you (as a user) will no longer benefit from our training and the Controller will benefit best from training if as many of its Employees as possible participate. This is because the Controller invokes its legitimate interest, which allows it, subject to a correct weighing of interests, to reject your request.

    • Making available the reporting of e-mails to determine whether it concerns phishing simulations sent by Phished, as well as any threats of real phishing e-mails.

    • Organizing continuous performance management: keeping track of personal goals, 1-on-1s and feedback for you.

    • Continuously measuring engagement through the Phished Academy, for example based on the training sessions (including a set of questions) of Phished or a self-chosen set of questions or training session of the Controller.

    • Storaging of phishing results.

    • Keeping phishing results available to the Controller via statistics.

    • Continuously modifying the phishing simulations.

Phished will not process your personal data for purposes other than for the performance of the Services and/or for the fulfilment of the responsibilities laid down in the agreement between Phished and the Controller. Phished will only process your personal data on behalf of the Controller and in accordance with the documented instructions of the Controller.

6. Sharing the personal data with others/international transfers

We only disclose relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract with Phished. Of course, we have made agreements with these parties about the protection of your personal data. The Data Controller has been informed of these third parties via the agreement we’ve concluded with them.

Phished may disclose personal data when this is necessary to comply with a legal obligation to which we are subject, or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary for the establishment, exercise or defence of legal claims, in legal proceedings or in administrative or out-of-court proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision, standard clauses, appropriate safeguards, binding corporate rules or transfers as referred to in Article 49(1) of the GDPR.

In the event of a total or partial reorganization, merger, demerger, acquisition or sale of assets, we are entitled to transfer the personal data to the relevant third party.

7. Storage and deletion of personal data

The personal data will be kept for the duration of the contract between Phished and the Controller and will be deleted after12 months of inactivity after termination of your account. Unless otherwise agreed between Phished and the Controller, we may further use anonymized aggregated data, which is not personal data, to improve our services.

In any case, the Controller may contact us at any time regarding a request to anonymise or delete certain personal data (for example, if you no longer work for the Controller). If you wish to have your data deleted, you must contact your Data Controller (in conformity with point 8).

8. Your data protection rights

Your requests regarding the exercise of your data protection rights should be addressed to the Data Controller, who is responsible for handling this request. These will not be handled by Phished under any circumstances, unless we’ve been explicitly instructed by the Controller.

For your information and clarity, we have summarised your rights under the GDPR in this section. Because some of these rights are complex, not all of the details are included in this summary. Therefore, you can read the relevant laws and regulations for a full explanation of these rights or contact the Data Controller.

To exercise your rights, you must provide sufficient proof of your identity. In this context, we recommend that you attach a secure copy of your personal data to your request. A protected copy involves blurring all non-essential information and adding a watermark. This watermark should include the purpose of the copy, the recipient, and the date of issue. The only information necessary is your name (so all other information can be blurred).

  • Right of access and a copy of your personal data: you have the right to be informed about whether your personal data is being processed by the Data Controller and, if so, to access this personal data, together with the additional information mentioned in Article 15 of the GDPR. If the protection of the rights and freedoms of others is not affected, the Data Controller will provide you with a copy of your personal data.

If you request a copy of the data of your data processed by Phished, you must address this request to your Controller. We inform you that, if we receive your request via the Data Controller, we can only provide a copy of the following personal data:

  • Your name;

  • Your e-mail address;

  • The unique number associated with your user account (UID).

All other categories of personal data (see above) are encrypted for Phished (where the encryption key is managed by a third party). Therefore, we cannot reasonably provide you with a copy of this data. However, the Controller can provide a copy of this.

This is part of the principle of 'Security by Design', as our platform is structured in such a way that the personal data that Phished can consult is limited to what is strictly necessary.

  • Right to rectification: you have the right to have incorrect and/or incomplete personal data corrected and/or supplemented.

  • Right to erasure: you have the right to have your personal data erased in the circumstances mentioned in Article 17(1) of the GDPR, such as when you withdraw your consent to processing based on consent.

Please note that your personal data has not been collected for the use of the Services by the Data Controller based on your consent, but based on their legitimate interest.

  • Right to restriction of processing: you have the right to restrict the processing of your personal data in the circumstances set out in Article 18(1) GDPR, for example in the event that you contest the accuracy of the personal data.

  • Right to data portability: you have the right to receive the personal data concerning you that you have provided to the Data Controller in a structured, commonly used and machine-readable format and to transmit this data to another Data Controller if (a) the processing is based on consent or is necessary for the performance of a contract to which you are a party or to take steps at your request. prior to entering into a contract, and (b) this processing is automated. However, this right does not apply where it would harm the rights and freedoms of others.

In the admin manual, which is made available by Phished to the Controller, the Controller can find for which data such an export is possible.

  • Right to withdraw consent: To the extent that the lawful basis for the processing of your personal data is consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.

  • Right to file a complaint with the supervisory authority: we always encourage you to forward any questions, comments or complaints you may have regarding the processing of your personal data to your Data Controller. In any case, in particular if you do not agree with the position of your Controller and/or Phished in response to a complaint/request or the way in which your request was handled by (for example, if you believe that our processing of your personal data violates data protection legislation or if you have comments about the use of your personal data),  the right to lodge a complaint with the competent supervisory authority, including the Belgian Data Protection Authority (online or by sending a letter to the Data Protection Authority with address Drukpersstraat 35, 1000 Brussels).

  • Right to object to processing: You have the right to object to the processing of your personal data for direct marketing purposes at any time, as long as the exclusions mentioned in Article 17(3) GDPR do not apply (for example, if the processing is necessary to comply with a legal obligation).

You also have the right to object to the processing of your personal data based on Article 6 (e) or (f) GDPR on grounds relating to your particular situation. In addition, you have the right to object to the processing of your personal data for scientific, historical or statistical (research) purposes on grounds relating to your particular situation.

9. Cookies

You can read more about our use of cookies via the following link.

10. Updates

Phished reserves the right to make changes and/or updates to this Data Protection Policy to take into account technological advancements, changes in laws and regulations and good business practices.